IAM policy grants 'AssumeRole' permission across all services

이 제품은 선택한 Datadog 사이트에서 지원되지 않습니다. ().
이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

Id: ansible-aws-iam-policy-grants-assumerole-permission-across-all-services

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Access Control

Learn More

Description

Policy statements that use a wildcard principal (*) with Effect set to Allow grant trust or permissions to any AWS principal. This can enable unauthorized accounts or external services to assume roles or perform actions, increasing the risk of privilege escalation and data exposure.

In Ansible resources amazon.aws.iam_managed_policy and iam_managed_policy, check the policy.Statement[].Effect and policy.Statement[].Principal.AWS properties. Statements must not have an Allow effect combined with Principal.AWS equal to or containing "*". This rule flags managed policy resources where any statement authorizes "*" as a principal. Replace wildcards with explicit principals such as AWS account IDs, ARNs, or specific service principals to limit trust to known entities.

Compliant Code Examples

- name: Create IAM Managed Policy
  amazon.aws.iam_managed_policy:
    name: my-iam-policy
    policy_name: ManagedPolicy
    policy:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Action: logs:CreateLogGroup
        Resource: '*'
    make_default: false
    state: present

Non-Compliant Code Examples

- name: Create IAM Managed Policy
  amazon.aws.iam_managed_policy:
    name: my-iam-policy
    policy_name: "ManagedPolicy"
    policy:
      Version: "2012-10-17"
      Statement:
      - Effect: "Allow"
        Action: "logs:CreateLogGroup"
        Resource: "*"
        Principal:
          Service: "ec2.amazonaws.com"
          AWS: "*"
    make_default: false
    state: present